The GDC imposes a professional obligation to create l records for dental treatment that is provided to patients. This obligation is set out in Standards for Dental Practitioners paragraph 1.4:
'Make and keep accurate and complete patient records including a medical history, at the time you treat them. Make sure that patients have easy access to their records.'
The NHS GDS contract requires that records are made of any treatment provided. It also specifies the length of time that records must be kept, in accordance with the contract. The NHS contract currently requires records to be kept for two years in England, Wales and Scotland and six years in Northern Ireland, but Dental Protection’s advice is that clinical records should be kept for longer than this minimum period.
There are a number of pieces of legislation that require both NHS and private practitioners to keep records. These include: The Consumer Protection Act 1987 under which an action could arise for a defective product, the Medical Devices Directive (Directive 93/42/EEC), which relates to custom-made devices, the Medicines Act 1968 and the Misuse of Drugs Regulations 2001. In England, the Health and Social Care Act 2008 has led to the formation of the Care Quality Commission (CQC), which sets out detailed requirements for records. It is likely that the other UK jurisdictions will adopt similar requirements.
What do the regulations say?
Regulation 20 of the Health and Social Care Act 2008 (Regulated Activities) Regulations 2010
(1) The registered person must ensure that service users are protected against the risks of unsafe or inappropriate care and treatment arising from a lack of proper information about them by means of the maintenance of—
(a) an accurate record in respect of each service user which shall include appropriate information and documents in relation to the care and treatment provided to each service user; and
(b) such other records as are appropriate in relation to—
(i) persons employed for the purposes of carrying on the regulated activity, and
(ii) the management of the regulated activity.
(2) The registered person must ensure that the records referred to in paragraph (1) (which may be in paper or electronic form) are—
(a) kept securely and can be located promptly when required;
(b) retained for an appropriate period of time; and
(c) securely destroyed when it is appropriate to do so.
What should people who use services experience?
People who use services can be confident that:
- Their personal records including medical records are accurate, fit for purpose, held securely and remain confidential.
- Other records required to be kept to protect their safety and wellbeing are maintained and held securely where required.
This is because providers who comply with the regulations will:
- Keep accurate personalised care, treatment and support records secure and confidential for each person who uses the service.
- Keep those records for the correct amount of time.
- Keep any other records the Care Quality Commission asks them to in relation to the management of the regulated activity.
- Store records in a secure, accessible way that allows them to be located quickly.
- Securely destroy records taking into account any relevant retention schedules.
Access to records
Patients have a statutory right to see records made about their dental care. While they live this is under the Data Protection Act 1998. If they die, the right passes to those who may have a claim against their estate and arises under the Access to Health Records Act 1990.
Complaints and claims
Despite a practitioners efforts to ensure that patients are satisfied with their treatment; unfortunately, complaints and claims may arise. Without reference to contemporaneous records a dentist will be heavily disadvantaged in defending allegations. Detailed records of treatment can make the difference between robustly defending or needing to settle a case.
How long should records be retained?
This decision is not as simple as it seems. The Data Protection Act says that someone holding sensitive personal data (ie, dental records) should retain that information no longer than necessary. There is no definition of ‘necessary’; this will depend on individual circumstances.
The Department of Health has come to practitioners’ assistance by setting out some guidance in the Code of Practice on Retention/Disposal of Records under the NHS. By that guidance practitioners are encouraged to put a maximum period of 30 years on retention.
Short of 30 years the NHS code suggests the following:
- 11 years (adults)
- To the age of 25 years (children)
- 8 years (adults)
- To 25 years or 8 years post death (children)
Dental Protection’s advice would be to adopt the period of time set out under the NHS Code for Community care as an absolute minimum and to retain records for as long as possible. Dental Protection advises that records that relate to complex treatment or particularly difficult patients should be kept for longer, up to 30 years.
If a dentist decides that it is no longer necessary to keep a dental record, for example, 12 years have passed since an adult last attended for treatment, the record should be destroyed by choosing a method that will ensure that confidentiality is maintained (see section below)If that patient subsequently asks to see their record it is reasonable to say that they were destroyed because it was no longer necessary to keep them. Nowhere is there any suggestion that the patient should be told before destruction.
There are time limits for patients to make claims for compensation. Generally the time limit is three years from the date of knowledge, but the court does have the discretion to extend this period. Additionally for children time does not start to run until they are 18 years of age or the date of knowledge, whichever is the later date. This means that if a patient does not become aware of the problem for many years, for example if a patient has undiagnosed and untreated periodontal disease, the case against the practitioner may not be brought until many years after the treatment was provided.
A patient has indefinite entitlement to access his/her records if he is under a ‘disability’, as a result of an 'unsound mind'. If a patient falls into this category the usual time limits for patients to bring a claim do not apply. A dentist who is aware of a patient suffering such disability as would prevent him from conducting his life unassisted would be wise to make a note on the records and avoid destroying those in order to ensure that, if a claim were to develop or the patient’s representatives later to seek access, they are available.
Legal obligations about storage of dental records
A dentist must keep records safely and securely (Data Protection Act principle 7). Keeping them securely also requires that they are kept confidential (employed staff who have been instructed on your security policy are exempt). Access to the records by others must only be given if necessary, and with necessary and appropriate safeguards. The dentist is expected to make, and be able to demonstrate, an assessment of risk in deciding on appropriate security measures.
Is there a legal requirement about disposing of paper or computer held records?
The Information Commissioner gives detailed and useful guidance on security measures and how safely to destroy records, in particular computer records which, though deleted, often remain accessible. Provided you can show you have looked into your obligations, advised staff and attempted to take recommended steps, you are unlikely to be penalised.
Does a dentist have an obligation to disclose patient records whilst retained in their possession?
The right of access to records is either under the Data Protection Act or the Access to Health Records Act as above. A fee of up to £10 (£50 for manual records) can be charged and disclosure must take place as quickly as possible but in any event within 40 days of receipt of the request. Whatever fee is requested should be capable of being justified.
What should a dentist do if someone other than the patient asks for access to his confidential records?
A common example is that of the police contacting a dentist requesting access to the dental records of patients who attended a particular surgery to establish an address for what is obviously a known suspect. A dentist faced with this difficulty should contact Dental Protection for advice. It may be that the police have a Court Order or a Statutory Right to compel disclosure. In that situation there would be no breach of the dentist’s professional or common law duty to maintain confidentiality. If a request is made for the confidential information in connection with legal proceedings it is very unlikely that disclosure should take place unless a Court Order is produced. In any event, if a dentist is satisfied it is necessary to disclose, he must consider whether he should ask for the patient’s consent, whether he can anonymise the disclosure and limit the disclosure to the extent necessary. He should also think about whether any other individual name identified has consented to the disclosure and whether the records should be redacted before disclosure.
As a general rule, if a patient has not consented to disclosure of the confidential information, in the absence of a Court Order, disclosure is likely to be unreasonable. Dental Protection will give advice in relation to any request.
What about scanning records?
It is sensible to store records by scanning them and then destroying the originals but the 30 year maximum storage period applies in any event.
Scanning of orthodontic study models for long-term storage may also be appropriate, provided the scanned image files three-dimensional visualisation and do not lose any information that could be obtained from the original models. As study models may need to be referred to during active treatment and retention, Dental Protection’s advice would be that this is the minimum amount of time for which the original models should be retained before relying on scanned images alone.